PhenixID

Step by Step – Cambio Cosmic Nova SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to provide Single Sign-On and Single Logout to Cambio Cosmic Nova (web, tablet and rich client) using SAML, with PhenixID Authentication Services as the SAML IdP.

 

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Information about the Cambio Cosmic Nova environment: Assertion Consumer Location URL, entity ID, signing certificate and Single Logout URL (normally the Single Logout URL is the same as the Assertion Consumer Location URL).
  • Cambio Cosmic Nova test account

Instruction

Set up PhenixID Authentication Services as SAML IdP

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.) Make sure to fetch the Nova userID (hsaID or another attribute) during authentication.
  2. Modify the execution flow in order to create the SAML assertion properly:
    1. Add a valve that sets the item property role to the value nova-user. Make sure to place it before the AssertionProvider valve.
    2. Click Save
    3. Click Advanced
    4. Click Pipe Valves
    5. Locate the AssertionProvider valve used in the flow.
    6. Edit the AssertionProvider valve. Make sure you have an item property named hsaid (fetched by a previous valve in the pipe, for example an LDAP search or a certificate attribute).
      Set these params:
      – nameIDAttribute = hsaid
      – additionalAttributes=role
      – misc object:
      * excludeSubjectNotBefore=true
      * nameIdFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      Example:

      {
        "id": "ee8e40fb-c911-40f4-8c13-1c4afcd9b732",
        "name": "AssertionProvider",
        "enabled": "true",
        "config": {
          "targetEntityID": "d84fd37a-b591-42cf-b9f5-297edb835c54",
          "userNameAttribute": "hsaid",
          "nameIDAttribute": "hsaid",
          "additionalAttributes": "role",
          "guide_ref": "daabf4bd-ece3-47dc-8192-e0e7fb255dde",
          "misc": {
            "excludeSubjectNotBefore": "true",
            "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          }
        },
        "created": "2017-10-26T15:04:05.335Z",
        "modified": "2017-11-08T07:55:33.852Z"
      }
  3. Click Stage Changes
  4. Click Commit Changes.
  5. Download the IdP SAML Metadata and provide it to the technical contact from Cambio Cosmic Nova.
  6. Configure Cambio Cosmic Nova to trust the IdP [not documented here].

 

Add Cambio Cosmic SAML SP Metadata to PhenixID Authentication Services

  1. Create the Cambio Cosmic Nova SAML SP Metadata XML file. Use the template below and replace the placeholder values (entity ID, certificate and URLs, shown in italic in the original) with the values from your Cosmic Nova environment. Place the text in a file using a text editor and save it as an XML file.
    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="entityID_of_cosmic_usually_fetched_from_environment_variable_cambio.env.saml.issuerid" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
     <ds:X509Certificate>SP_Signing_Certificate_of_cosmic</ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
     </md:KeyDescriptor>
     <md:KeyDescriptor use="encryption">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data>
     <ds:X509Certificate>SP_Signing_Certificate_of_cosmic</ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
     </md:KeyDescriptor>
     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="Logout_URL_of_cosmic_which_is_the_same_as_SP_assertion_consumer_url"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="SP_assertion_URL_of_cosmic_usually_fetched_from_environment_variable_cambio.env.saml.sp.url"></AssertionConsumerService>
    </md:SPSSODescriptor>
    </EntityDescriptor>
    Example metadata:
      <?xml version="1.0" encoding="UTF-8"?>
      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:nova-demo:cosmicnova" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
       <ds:X509Certificate>MIIHgTCCBmmgAwIBAgITQgABaATUSkdKpTPt7wABAAFoBDANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJTRTEPMA0GA1UEBxMGS2FsbWFyMSwwKgYDVQQDEyNLYWxtYXIgTGFucyBMYW5kc3RpbmcgSXNzdWluZyBDQSAwMTAeFw0xODA0MDQxNjExMzRaFw0yMTA0MDMxNjExMzRaMHQxCzAJBgNVBAYTAlNFMQ8wDQYDVQQHEwZLYWxtYXIxHjAcBgNVBAoTFUthbG1hciBMYW5zIExhbmRzdGluZzELMAkGA1UECxMCSVQxJzAlBgNVBAMTHmNvc21pY25vdmFwcm9kLmxrbC5sdGthbG1hci5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkxFvd2jU5ougDnG/PuBA7xxWQK6NeOY6fvC/ecl7f9NYjVdcWbH/sjZIburlBcXLBoKydEZUiq8i+ENxxi4b71bbT+qBk8b3TRMiogNA7o7g63LGJh7765PMA5N1srlvkx2yGbRnrzYefkqSIsEY2ZW5lpVGZBy+4bKNzC5pLDbyAC8hipDyJJpwCoe1z+aRFPDOvDQJZxTVde0HnTZaUG/1bFWEmgZS+b66Q4pmJKNDaUASp/kOgVYEKmCo340IupHazcZaTxnNg0z9i/V1LZJn6/otodF9dGBmo2CXo48bceBCPC7lQrtjKz/KiEAjw7DxA0fUCZ4aTr8MckBD8CAwEAAaOCBDIwggQuMD0GCSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCIG+2QmGjNEnh/mPN4euohOB959zTYLgyC+F9KQTAgFkAgEkMEkGA1UdIARCMEAwPgYIKoVwgWUBAQEwMjAwBggrBgEFBQcCARYkaHR0cDovL3BraS5sdGthbG1hci5zZS9jcHMvY3BzLmh0bWwAMCgGCSsGAQQBgjcVCgQbMBkwCwYJKoVwgWUBAgEBMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAeBgNVHSUEFzAVBgkqhXCBZQECAQEGCCsGAQUFBwMBMB0GA1UdDgQWBBRSOa2vnMYLbKqidHKNNP6TC+PUhDApBgNVHREEIjAggh5jb3NtaWNub3ZhcHJvZC5sa2wubHRrYWxtYXIuc2UwHwYDVR0jBBgwFoAUSlb4esx1RDcFBh/VJifghTTN5E4wggFsBgNVHR8EggFjMIIBXzCCAVugggFXoIIBU4ZMaHR0cDovL3BraS5sdGthbG1hci5zZS9jcmwvS2FsbWFyJTIwTGFucyUyMExhbmRzdGluZyUyMElzc3VpbmclMjBDQSUyMDAxLmNybIaCAQFsZGFwOi8vL0NOPUthbG1hciUyMExhbnMlMjBMYW5kc3RpbmclMjBJc3N1aW5nJTIwQ0ElMjAwMSxDTj1LYWxtYXIlMjBMYW5zJTIwTGFuZHN0aW5nJTIwSXNzdWluZyUyMENBJTIwMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGtsLERDPWx0a2FsbWFyLERDPXNlP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCCAW4GCCsGAQUFBwEBBIIBYDCCAVwwWAYIKwYBBQUHMAKGTGh0dHA6Ly9wa2kubHRrYWxtYXIuc2UvYWlhL0thbG1hciUyMExhbnMlMjBMYW5kc3RpbmclMjBJc3N1aW5nJTIwQ0ElMjAwMS5jcnQwgdMGCCsGAQUFBzAChoHGbGRhcDovLy9DTj1LYWxtYXIlMjBMYW5zJTIwTGFuZHN0aW5nJTIwSXNzdWluZyUyMENBJTIwMDEsQ049QUlBLENOPVB1YmxpY
yUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGtsLERDPWx0a2FsbWFyLERDPXNlP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcDAxLmx0a2FsbWFyLnNlL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHfb5epenWnMrVWcTrs0waN7SNVKp24CwRSdjbfdzgdVGR2ua4INuX6ekW9ljncAF1nsYh8sjROJ3nDsojyKa6MJmRvfeTOJF3gNN+dsjSYVKLO3ql3YgyAsBguN71r37BMQqzwGmRadLWY65/kMLQopq5WkX1v6pPuOgcl4wd/dNo9xRMQrsZnUVN+WAlWIuXjvcdjr6qrEPhCPnUz87wHESYoBBoiK+z1UgiN/mcuoaNbd8kOPoDDa23hM5n/tOVHg1oC6JrJRgf5YJxir0QbxU4LamPTx43RM1Vrae8nh8CnXf98qZEtU6obQxg5ixPPGMBhFXuslMx5B3SV5wno=</ds:X509Certificate>
       </ds:X509Data>
       </ds:KeyInfo>
       </md:KeyDescriptor>
       <md:KeyDescriptor use="encryption">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
       <ds:X509Certificate><!-- same certificate as in the signing KeyDescriptor above --></ds:X509Certificate>
       </ds:X509Data>
       </ds:KeyInfo>
       </md:KeyDescriptor>
       <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cosmicnova.demo.se:8443/nova-auth/saml"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cosmicnova.demo.se:8443/nova-auth/saml"></AssertionConsumerService>
      </md:SPSSODescriptor>
      </EntityDescriptor>
  2. Upload the metadata file using this Federation Scenario.
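A pre-upload check for the metadata file produced from this template, as an added example (not PhenixID or Cambio code): it parses the file, flags placeholder tokens that were not replaced, verifies that every X509Certificate is base64-encoded DER and that the AssertionConsumerService and SingleLogoutService Locations are https. The compact template copy, the demo entity ID, URLs and certificate bytes are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Compact copy of the page's template (encryption KeyDescriptor omitted) with a default xmlns
# so the unprefixed elements resolve into the metadata namespace; placeholder tokens shortened.
TEMPLATE = """<EntityDescriptor xmlns="%s" xmlns:md="%s" entityID="entityID_of_cosmic">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>SP_Signing_Certificate_of_cosmic</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="Logout_URL_of_cosmic"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="SP_assertion_URL_of_cosmic"/>
</md:SPSSODescriptor></EntityDescriptor>""" % (MD, MD)

DEMO_VALUES = {  # constructed stand-ins for the real Cosmic Nova environment values
    "entityID_of_cosmic": "urn:nova-demo:cosmicnova",
    "SP_Signing_Certificate_of_cosmic": base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode(),
    "Logout_URL_of_cosmic": "https://cosmicnova.demo.se:8443/nova-auth/saml",
    "SP_assertion_URL_of_cosmic": "https://cosmicnova.demo.se:8443/nova-auth/saml",
}
FILLED = TEMPLATE  # the template with every placeholder replaced, as a user would do by hand
for _placeholder, _value in DEMO_VALUES.items():
    FILLED = FILLED.replace(_placeholder, _value)


def check_sp_metadata(xml_text):
    """Return the problems found in an SP metadata file; an empty list means ready to upload."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        problems.append("root element is not in the SAML metadata namespace")
    if not root.get("entityID") or "_of_cosmic" in root.get("entityID"):
        problems.append("entityID placeholder not replaced")
    for cert in root.iterfind(".//ds:X509Certificate", NS):
        try:  # structural check only: base64 that decodes to a DER SEQUENCE (0x30), not validation
            if not base64.b64decode((cert.text or "").strip(), validate=True).startswith(b"\x30"):
                raise ValueError
        except ValueError:
            problems.append("X509Certificate is not a base64-encoded DER certificate")
    for name in ("AssertionConsumerService", "SingleLogoutService"):
        el = root.find(".//md:" + name, NS)
        if el is None or not el.get("Location", "").startswith("https://"):
            problems.append(name + " Location missing or not https")
    return problems
```

Running the check on the unmodified template lists every placeholder still to be replaced; on the filled file it returns an empty list.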

 

Test

  1. Open a web browser
  2. Browse to https://<cambio_cosmic_nova_trigger_url>
  3. You should be redirected to the IdP (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to Cosmic Nova
  6. You are now logged in to Cosmic Nova.

Troubleshooting

Use the SAML Tracer addon for Firefox to debug and trace the SAML messages. Verify that the nameID value and the role attribute are present in the SAML Assertion. Example extract:
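The same verification as a script, added here as an example (not part of the original article): given the decoded XML or the base64 SAMLResponse form field as SAML Tracer shows it, it reports the NameID value and whether its format is persistent, whether the role attribute carries nova-user, and whether SubjectConfirmationData is free of NotBefore (the effect of excludeSubjectNotBefore=true). The sample response, its hsaID value and URLs are constructed; the XML signature is not verified by this check.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed, unsigned sample of what the IdP configured above would emit (the decoded
# SAMLResponse as shown by SAML Tracer); the hsaID value and URLs are invented.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">
<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
<saml:NameID Format="%s">SE2321000073-1234</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://cosmicnova.demo.se:8443/nova-auth/saml"
 NotOnOrAfter="2017-11-08T08:00:33Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="role">
<saml:AttributeValue>nova-user</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>""" % (SAMLP, SAML, PERSISTENT)
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # form-field view


def check_nova_assertion(saml_response):
    """Return what a SAML Tracer review should confirm for Cosmic Nova; the input may be
    raw XML or the base64 SAMLResponse form field. Signatures are not verified here."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode()
    root = ET.fromstring(text)
    assertion = root if root.tag == "{%s}Assertion" % SAML else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion found (encrypted assertion or wrong message?)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    roles = [v.text for v in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "nameid_value": name_id.text if name_id is not None else None,
        "nameid_persistent": name_id is not None and name_id.get("Format") == PERSISTENT,
        "role_nova_user": "nova-user" in roles,
        # excludeSubjectNotBefore=true in the valve config means no NotBefore may appear here
        "no_subject_notbefore": scd is not None and scd.get("NotBefore") is None,
    }
```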


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se